Malware + Security News

Flashback Botnet is Adrift

Posted on by

In 2011, Intego’s Malware Research Team discovered OSX/Flashback.A, a trojan horse that used social engineering to trick users into installing a malicious Flash player package. Then in early 2012, Flashback spread to infect up to 600,000 machines, as new variants were using Java exploits and drive-by downloads. Today, our latest research shows that the Flashback botnet is adrift and still in the wild.

Once installed on a Mac, Flashback created a backdoor, allowing it to take almost any activity on the infected machine. Users with infected Macs are at risk of being exposed to an almost limitless variety of malicious actions, as hackers can access infected Macs and snoop on the user, copying usernames and passwords, and more.

The Apple Product Security Response team took serious actions in 2012 to mitigate the threat using XProtect and security updates (including a Malware Removal Tool), however, the botnet count was only divided by six according to our sinkhole. Since then, Apple quietly shut down domains, eventually acquiring all generated domains until end of year 2013, i.e. one domain name registered on five TLDs each day (.com, .net, .info, .in, .kz).

Now in 2014, it appears the Flashback botnet is silently adrift and still in the wild.

Intego purchased some of the command and control (C&C) server domain names to monitor the Flashback threat that infected hundreds of thousands of Macs. Beginning January 2, we studied those domains and our sinkhole servers recorded all connections from Macs where Flashback is still active and trying to contact the C&C servers.

Below is a screenshot of the Apache Server log:

Apache Server log screenshot shows the date of the http packet, the domain name used by the flashback malware, the URL, the Flashback version, and more

After recording for five days, we counted at least 22,000 infected machines. As of this morning, we counted 14,248 unique identifiers of the latest Flashback variants:

Version Count
sv:1 1,556
sv:2 1,813
sv:4 955
sv:5 9,924

While the domain names still registered by Apple and other security researchers are being closely monitored for now, the author can buy the domain names in the future, or the botnet could even slip into other malicious hands if the C&C server domains were no longer monitored by security researchers.

By design, Flashback is versatile; it is a nasty little malware. It is self-encrypted, and with the UUID of the infected machine it sends unique information about the machine owner to its command and control server, so targeted variants could already be in the wild.

Intego strongly encourages all Mac users to verify that their machine is not infected with Flashback. Mac users can download our top ranked antivirus product, Intego VirusBarrier, to find and remove any variant of Flashback, and any other malware on your Mac.